Important! This guide applies only to 3CX Phone System 11. It does not apply to 3CX Phone System 12, where the setup wizard automates the procedure.
This guide describes how to configure 3CX Phone System 11 installed on IIS Web Server with HTTPS / SSL.
It's important to be running 3CX Phone System Version 11 Build 27011 or higher. This guide applies to 3CX Phone System deployments installed on IIS server 7.
An appropriate certificate is required. 3CX Phone System requires end users to be able to verify the server's identity with the certificate generated. To get one, send a certificate request to a known Certificate Authority (CA) such as Thawte, VeriSign or Geotrust, or obtain a certificate from an online CA. In this example we will use www.cacert.org.
The process to have SSL configured for 3CX Phone System is split up into six parts:
- Part 1: Creating a Certificate Request in IIS Web Server
- Part 2: Sending the Certificate Request to the Certificate Authority and Getting Back a Server Certificate
- Part 3: Completing the Certificate Request from Part 1 by Entering the Server Certificate Provided by the Certificate Authority in Part 2
- Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server Machine and any Computer that will Access 3CX MyPhone
- Part 5: Modifying 3CX MyPhone Web Configuration File for HTTPS to Work
- Part 6: Creating the HTTPS Binding in IIS Web Server
Part 1: Creating a Certificate Request in IIS Web Server
- Access your 3CX Phone System server, choose "Start" > "Administrative Tools" > "Internet Information Services (IIS) Manager".
- In IIS Manager, choose your server name.
- In the Features View (the middle pane), double-click the "Server Certificates" option located under the Security heading.
- To begin the process of requesting a new certificate, choose the "Create Certificate Request" option from the Actions pane.
- In this example, the domain for which we are configuring SSL is voip3.alarm-system.com. In most cases, this has to be a domain. If you want to put an IP address here, you will need to use an internal certificate authority. The common name should match the fully-qualified domain name for the site. Provide information about your site, making sure to spell out the name of your state and locality correctly. Click "Next" to continue.
- The next screen of the wizard asks you to choose a cryptographic service provider. The default, Microsoft RSA SChannel Cryptography Provider, works well. Select "2048" for the bit length. Click "Next" to continue.
- Finally, specify a filename for the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. In this example, the file is named "voip3certificaterequest.txt".
Part 2: Sending the Certificate Request to the Certificate Authority and Getting Back a Server Certificate
- Now that we have the certificate request, we need to send it to a trusted certificate authority so the request can be completed. As a result we will get a Server Certificate. If you are using a trusted certificate authority, follow their online documentation from this point onwards. In this example, we will use CAcert to generate the server certificate for our 3CX Phone System server.
- Open a browser and browse to https://www.cacert.org. Create an account and, once it is activated, click on "Password login" to log in.
- Locate the text file that contains the certificate request generated in Part 1. In our case, we named the file “voip3certificaterequest.txt”. Open the file using a text editor and copy all the contents. Go back to CAcert's site, click on "Server Certificates" > "New" and paste the text copied from the text file. You will notice that the certificate request will contain the common name. Press "Submit" to submit this request.
- On the next screen, CAcert will generate the server certificate. Copy the server certificate in its entirety into a text file and name it "servercertificate.cer".
Part 3: Completing a Certificate Request in IIS
- Now that we have the server certificate which contains the authorized response from the certificate authority we can go back to IIS server to complete the certificate request in IIS. Choose "Start" > "Administrative Tools" > "Internet Information Services (IIS) Manager".
- In the IIS Manager, choose your server name.
- In the Features pane (the middle pane), double-click the "Server Certificates" option located under the "Security" heading.
- Click "Complete Certificate Request" from the "Actions" pane.
- Enter the path to the cer file which contains the server certificate response from the previous step – in our example the file was named servercertificate.cer.
- Enter a friendly name – this name will be visible in IIS. To keep things simple, enter the domain used for the certificate.
- You should now see a new certificate in IIS with your domain name, in our case voip3.alarm-system.com.
Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server Machine and any Computer that will Access 3CX MyPhone
Since CAcert's root certificate is not shipped with Windows operating systems, we also need to download and install the Root Certificate and Intermediate Certificate. If you are using Thawte, Geotrust or Verisign, you can skip this step.
- From https://www.cacert.org/index.php?id=3 download the following:
  - Root Certificate (PEM format): https://www.cacert.org/certs/root.crt
  - Intermediate Certificate (PEM format): https://www.cacert.org/certs/class3.crt
- Save these files in a folder on your disk. In our case, the folder is called voip3.alarm-system.com.
- Next, click "Start" > "Run", type "MMC" and press "Enter". From "File" select "Add or remove snap-in".
- Select Certificates and click "Add".
- On the next screen, select "computer account".
- Select local computer, so you access the certificate store on the local computer. Click "Finish".
- The selected snap-in is the one displayed on the right side. Press "OK" for MMC to open the Certificates (Local Computer) snap-in.
- The snap-in shows all the certificates that are installed on the local computer. Expand the "Certificates" node > "Trusted Root Certification Authorities" > "Certificates".
- Click "More" in the "Actions" pane (on the right) and select "All tasks" > "Import".
- The import certificate wizard will launch. Click "Next" to proceed.
- Click "Browse" and specify the Root certificate which was downloaded in the previous step. In our example, this is named "root.cer".
- Select the location where you want this certificate to be installed. In our case we want to install this in the "Trusted Root Certification Authorities store". Click "Next" to install the "Root Certificate" in this location.
- The CAcert root CA is now imported, and you will see it in the trusted certificates store in the MMC console.
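A scripted form of the Part 4 import, as an added example that is not part of the original guide: it refuses to add a downloaded CA file to the machine store unless its SHA-256 fingerprint matches a value you supply. The folder path and the fingerprint placeholders are assumptions, as is placing the intermediate in the Intermediate Certification Authorities ("CA") store.

```powershell
# Added example: check each downloaded CA file against a fingerprint obtained
# out of band, then import it into the Local Computer store. Run elevated.
$Folder = 'C:\voip3.alarm-system.com'        # assumed folder holding the downloads
$Items  = @(
    # Expected values are placeholders: fill in the SHA-256 fingerprints
    # published by the CA, obtained over a channel you already trust.
    @{ File = 'root.crt';   Store = 'Root'; Expected = '<ROOT-SHA256-FINGERPRINT>' },
    @{ File = 'class3.crt'; Store = 'CA';   Expected = '<CLASS3-SHA256-FINGERPRINT>' }
)

function Get-Sha256Fingerprint($Cert) {
    # Hash the DER encoding of the certificate and return upper-case hex.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', ''
}

function Import-VerifiedCa($Path, $StoreName, $Expected) {
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $actual = Get-Sha256Fingerprint $cert
    # Normalise the expected value (strip colons/spaces); an unfilled
    # placeholder never reaches 64 hex digits, so it fails closed.
    $want   = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($want.Length -ne 64 -or $actual -ne $want) {
        throw "Fingerprint mismatch for $Path (got $actual); not importing."
    }
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }
    finally { $store.Close() }
    "Imported '$($cert.Subject)' into LocalMachine\$StoreName"
}

foreach ($i in $Items) {
    Import-VerifiedCa (Join-Path $Folder $i.File) $i.Store $i.Expected
}
```

The same script can be run on each client computer that needs the root certificate, since anything placed in the "Root" store is trusted for every certificate that CA issues.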
Part 5: Configuring 3CX MyPhone to Work in HTTPS Mode
3CX MyPhone is a Silverlight application and requires a change to its configuration files, which needs to be done manually.
- From the 3CX Phone System Server computer, browse to the C:\ProgramData\3CX\Data\Http\Interface\MyPhone directory (where C:\ProgramData is the path to the common application data folder). Locate the file Web or Web.config and open it with a text editor.
- You will need to uncomment a line in this file. Search for 'uncomment the below line for HTTPS to work.'. The next line is the line that needs to be uncommented.
- After modifications this is how the endpoint line should look:
<endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinaryHTTPS" contract="Tcx.Assistant.IAssistPubSub" />
- Save and close the file when done.
Part 6: Creating the HTTPS Binding in IIS Web Server
- Access IIS Manager, expand Sites and click on 3CX Phone System Web Server.
- From the Actions pane, select Bindings.
- Click on the Add button to add a new binding to the 3CX Main Website.
- Configure the binding with the following options:
  - Type: Select https as the protocol type.
  - IP Address: Select the IP Address of the 3CX Phone System Server from the dropdown list together with the port.
  - SSL certificate: Select the SSL Server certificate you would like to use. In this example we will use the one we created, voip3.alarm-system.com.
- Press OK to create this binding.
- The new binding will be visible in the Site bindings section.
You can now access these 3CX websites as follows:
- Management console: https://voip3.alarm-system.com/management or http://voip3.alarm-system.com:5000/management
- Web Reports: https://voip3.alarm-system.com/reports or http://voip3.alarm-system.com:5000/reports
- 3CX MyPhone: https://voip3.alarm-system.com/MyPhone or http://voip3.alarm-system.com:5000/MyPhone
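To confirm the binding from Part 6 serves the certificate requested in Part 1, the following added example (not part of the original guide) connects to the site and checks the common name, key length, expiry and chain trust. Port 443 is an assumption taken from the https URLs above; run it from a client computer to see whether that machine trusts the chain.

```powershell
# Added example: inspect the certificate the new HTTPS binding actually serves.
$HostName = 'voip3.alarm-system.com'   # the guide's example domain
$Port     = 443                        # assumed: default HTTPS port, as in the URLs above

function Get-ServedCertificate($HostName, $Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: this only fetches the certificate,
        # the checks are done explicitly in Test-ServedCertificate.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-ServedCertificate($Cert, $HostName) {
    # Build the chain against this machine's stores (this is where Part 4 matters).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Cert)
    # The guide sets the common name to the FQDN, so compare the CN;
    # subject alternative names are not examined here.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    New-Object PSObject -Property @{
        CommonName   = $cn
        NameMatches  = ($cn -eq $HostName)
        KeyBits      = $Cert.PublicKey.Key.KeySize      # Part 1 selected 2048
        DaysLeft     = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Thumbprint   = $Cert.Thumbprint
    }
}

$report = Test-ServedCertificate (Get-ServedCertificate $HostName $Port) $HostName
$report | Format-List
if (-not ($report.NameMatches -and $report.ChainTrusted -and
          $report.KeyBits -ge 2048 -and $report.DaysLeft -gt 0)) {
    Write-Warning "Certificate served by ${HostName}:$Port failed one or more checks."
}
```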
Notes
- 3CX Wallboard does not support HTTPS.
- 3CX MyPhone requires the root certificate to be installed on each client computer that needs to access 3CX MyPhone. If you are using Thawte, VeriSign or GeoTrust, the root certificate is shipped with Windows. If you use any other Certificate Authority which does not ship the root certificate with Windows, you will need to repeat Part 4 on all the users' computers which need access to 3CX MyPhone. Failure to do so will cause 3CX MyPhone to work only with Internet Explorer.
- Alternatively you can use Group Policies to install the root or intermediate certificates on the computers in the domain.